Comment | What UK politicians can, and must, do about the Cambridge Analytica/Facebook scandal

The ongoing Facebook and Cambridge Analytica scandal is a wake-up call for the UK public and policy-makers. Privacy International offer seven simple actions UK politicians can, and must, take now to turn things around.

President Barack Obama, with Facebook CEO Mark Zuckerberg, holds a town hall meeting at Facebook headquarters in Palo Alto, California, April 20, 2011. (Official White House Photo by Lawrence Jackson)

The ongoing Facebook and Cambridge Analytica scandal is a wake-up call for UK policy-makers who too often encourage and promote digital industries over the protection of people’s personal data. The scandal has shown that the public is concerned over companies’ exploitation of their data. The current lack of transparency into how companies are using people’s data is unacceptable and needs to be addressed.

Reform should not be limited to the behaviour of individual companies, however. Consumers are confronted with an entire hidden ecosystem of companies harvesting and sharing their data. From credit scoring and insurance quotations to targeted political communication, this data is being used for far-reaching purposes.

With this in mind, we would like to offer a few simple actions politicians must take:

Data protection and privacy are fundamental rights. To enshrine data protection as a fundamental right in the UK post-Brexit, the EU Charter of Fundamental Rights needs to be retained. Data protection and privacy rights are also fundamental to users’ trust in new technologies, because they address the vast power imbalances between consumers and those that process their data. Without such consumer trust, innovation cannot thrive. Countless polls and consumer surveys show how consumers’ trust in new technologies, like AI, ultimately depends on how these technologies prove to be effective in protecting consumers’ privacy. (See thisEurobarometer study)

People should be in control of their data, no matter which company or agency holds it. Yet politicians are promoting the notion of ‘data ownership’ instead. Ownership implies that people can sell away their fundamental rights. This is a false solution that risks exacerbating the imbalance of power rather than addressing it. It will result in the exploitation of people’s economic concerns at the expense of their personal data and fundamental right. Instead, data protection law provides individuals with rights and protections on the processing of all personal data, regardless of who holds it. Privacy shouldn’t be a luxury.

3) Data Protection and consumer protection authorities need more resources to do their job

The Facebook and Cambridge Analytica scandal shows that even blatant violations of the law only ever reach the public eye if someone investigates. Data protection and consumer protection authorities play invaluable roles by instigating investigations, responding to complaints and taking enforcement action. Government must provide more resources and powers to consumer and data protection authorities to do their job. In the case of the Information Commissioner, the Data Protection Bill currently in the House of Commons provides a golden opportunity.

4) Political parties cannot be above the law

The current draft of the UK Data Protection Bill contains a number of problematic provisions. Of particular concern is paragraph 17 of Schedule 1 to the Bill which permits registered political parties to process personal data ‘revealing political opinions’ for the purposes of their political activities. While political parties’ engagement with voters is a key part of a healthy democracy, we are concerned that this exception would continue to give political parties too much leverage in processing data for targeted online advertising. Paragraph 17 should be removed from the Bill or, at the very least, amendments must be made to ensure that the scope of the condition is proportionate, and adequate safeguards are established. (See Privacy International’sevidenceon the UK’s Data Protection Bill and proposed amendments.)

5) Individuals need effective remedies

The current scandal shows that many unlawful practices take place without being seen or noticed, and are only revealed when independent researchers conduct lengthy and detailed investigations. This is why the EU’s General Data Protection Regulation (GDPR) includes Article 80.2, an optional provision that would allow qualified non-profit organisations to pursue data protection infringements on their own initiative. Sadly, the UK Government chose to not include this provision in the UK’s Data Protection Bill. We urge the House of Commons to implement this crucial provision. (See Privacy International’sevidenceon the UK’s Data Protection Bill and proposed amendments.)

6) Support strong e-Privacy regulations

If you are worried about third-party data harvesting on Facebook, you should be really worried about the state-of-the-art tools in online and location tracking. The draft EU ePrivacy Regulation complements the GDPR by providing clear and specific rules on issues such as tracking of individuals online and offline and the use of location data. Companies are lobbying to prevent this regulation from being adopted. Governments are dragging their feet, and there is a real risk that the law will not see the light of day, despite the strong support of the European Parliament and consumer protection organisations. (See Privacy Internationalbriefingon ePrivacy regulation.)

7) A right to know when you’re politically targeted

Political campaigning and advertising must be more transparent and therefore accountable. Political parties need to report which data analytics companies they have contracted, how much they are paid, and exactly what role these companies will have in campaigning. Simply describing activities as ‘surveys’ or ‘research’ is unacceptable, as data can be misused under such vague descriptions. In addition, political parties must be transparent about which online targeted messages they have funded.

Now is the time to identify the stringent safeguards needed to protect our data. We urge you to send these recommendations to your Member of Parliament.